rule malware_windows_moonlightmaze_loki2crypto
{
    meta:
        description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        author = "Costin Raiu, Kaspersky Lab"
        md5_1 = "19fbd8cbfb12482e8020a887d6427315"
        md5_2 = "ea06b213d5924de65407e8931b1e4326"
        md5_3 = "14ecd5e6fc8e501037b54ca263896a11"
        md5_4 = "e079ec947d3d4dacb21e993b760a65dc"
        md5_5 = "edf900cebb70c6d1fcab0234062bfc28"
    strings:
        $modulus = {DA E1 01 CD D8 C9 70 AF C2 E4 F2 7A 41 8B 43 39 52 9B 4B 4D E5 85 F8 49}
    condition:
        $modulus
}
